
Re: Adding revised identities to IKEv2



 In your previous mail you wrote:

   If I'm understanding Francis correctly, I think I
   agree. Identity should not be bound up with IP
   addresses where the credential does not otherwise
   require it, cf x.509, kerberos, etc. The general
   flow on the incoming side should be:
   
=> my message was about IKE itself, not IPsec... But IPsec
is another example of ACL-like validation because only some
transforms/modes provide an integrity check over addresses
(something stronger than the check against SA/SPD selectors).

Regards

Francis.Dupont@enst-bretagne.fr